authorNikolay Amiantov <ab@fmap.me>2016-09-17 13:43:37 +0300
committerNikolay Amiantov <ab@fmap.me>2016-09-17 15:39:24 +0300
commit79d4636d506094eae3c5c7575a0bef817cba9bda (patch)
tree44da26dfb6268c65a39f75bbdca784e85196b8d9 /nixos/modules
parentbf5d2bc215357040d29fec8f4b77cf8922dd208f (diff)
stage-2 init: move /run/keys mount to boot.specialFileSystems
Diffstat (limited to 'nixos/modules')
-rw-r--r--nixos/modules/system/boot/stage-2-init.sh10
-rw-r--r--nixos/modules/tasks/filesystems.nix5
2 files changed, 4 insertions, 11 deletions
diff --git a/nixos/modules/system/boot/stage-2-init.sh b/nixos/modules/system/boot/stage-2-init.sh
index ae88222f2780..f827e530f877 100644
--- a/nixos/modules/system/boot/stage-2-init.sh
+++ b/nixos/modules/system/boot/stage-2-init.sh
@@ -111,16 +111,6 @@ rm -f /etc/{group,passwd,shadow}.lock
 rm -rf /nix/var/nix/gcroots/tmp /nix/var/nix/temproots
 
 
-# Create a ramfs on /run/keys to hold secrets that shouldn't be
-# written to disk (generally used for NixOps, harmless elsewhere).
-if ! mountpoint -q /run/keys; then
-    rm -rf /run/keys
-    mkdir /run/keys
-    mount -t ramfs ramfs /run/keys
-    chown 0:96 /run/keys
-    chmod 0750 /run/keys
-fi
-
 mkdir -m 0755 -p /run/lock
 
 
diff --git a/nixos/modules/tasks/filesystems.nix b/nixos/modules/tasks/filesystems.nix
index 3c822c8716d0..d47f6854e338 100644
--- a/nixos/modules/tasks/filesystems.nix
+++ b/nixos/modules/tasks/filesystems.nix
@@ -18,7 +18,7 @@ let
 
   prioOption = prio: optionalString (prio != null) " pri=${toString prio}";
 
-  specialFSTypes = [ "proc" "sysfs" "tmpfs" "devtmpfs" "devpts" ];
+  specialFSTypes = [ "proc" "sysfs" "tmpfs" "ramfs" "devtmpfs" "devpts" ];
 
   coreFileSystemOpts = { name, config, ... }: {
 
@@ -290,6 +290,9 @@ in
       "/dev" = { fsType = "devtmpfs"; options = [ "nosuid" "strictatime" "mode=755" "size=${config.boot.devSize}" ]; };
       "/dev/shm" = { fsType = "tmpfs"; options = [ "nosuid" "nodev" "strictatime" "mode=1777" "size=${config.boot.devShmSize}" ]; };
       "/dev/pts" = { fsType = "devpts"; options = [ "nosuid" "noexec" "mode=620" "gid=${toString config.ids.gids.tty}" ]; };
+
+      # To hold secrets that shouldn't be written to disk (generally used for NixOps, harmless elsewhere)
+      "/run/keys" = { fsType = "ramfs"; options = [ "nosuid" "nodev" "mode=750" "gid=${toString config.ids.gids.keys}" ]; };
     } // optionalAttrs (!config.boot.isContainer) {
       # systemd-nspawn populates /sys by itself, and remounting it causes all
       # kinds of weird issues (most noticeably, waiting for host disk device
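Review bot: The `gid=${toString config.ids.gids.keys}` option on the new `/run/keys` entry may not take effect: ramfs has historically parsed only `mode=` and silently ignored other mount options (unlike tmpfs, which honours `uid=`/`gid=`), so the mount would come up as root:root with mode 0750 and members of the keys group would lose the access that the removed `chown 0:96 /run/keys` in stage-2-init.sh used to grant. This is worth verifying on the target kernel before relying on it; if the option is ignored, the group ownership needs to be applied after the mount (an explicit chown equivalent to the removed one) rather than through the option list. The added `nosuid`/`nodev` flags are appropriate for a secrets directory and are an improvement over the previous bare `mount -t ramfs` call. The enclosing attribute set starts before this hunk.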